Monday, January 27, 2014

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of file:// URL handling. An attacker can supply a remote path which will be evaluated by ShellExecute and can be leveraged to execute arbitrary code. While the operating system (e.g., Windows) blocks execution of several file formats and provides a prompt to the user asking for permission, this can be bypassed by specifying alternate file types and we have achieved code execution using .jar files.

Tested Versions

Pidgin 2.10.7

Coverage

SIDs 28089 and 28090

Details

An attacker can pass arbitrary paths to ShellExecute() when a user clicks on a URL delivered in any of the communication protocols supported by Pidgin on the Windows platform. If this URL specifies a file:// protocol handler, the URL will be executed by the shell.Pidgin attempts to filter file:// URLs and will try to execute them as an argument to the command "explorer.exe /select" in the function file_open_uri() in file pidgin-2.10.7\pidgin\gtkutils.c:3279 if (purple_str_has_prefix(uri, "file://"))3280 {3281 gchar *escaped = g_shell_quote(uri);3282 gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);3283 wchar_t *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);32843285 code = (int)ShellExecuteW(NULL, L"OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);...3290 } else {3291 wchar_t *wc_filename = g_utf8_to_utf16(uri, -1, NULL, NULL, NULL);3294 code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, SW_SHOW);However, due to the way this function is called, a URL will never start with the file:// scheme. The following code shows how the function is called (also in gtkutils.c):3361 #define FILELINKSIZE (sizeof("file://") - 1)3362 static gboolean file_clicked_cb(GtkIMHtml *imhtml, GtkIMHtmlLink *link)3364 {3365 const char *uri = gtk_imhtml_link_get_url(link) + FILELINKSIZE;3366 file_open_uri(imhtml, uri);3367 return TRUE;3368 }This strips out the file:// scheme from the URL before calling the file_open_uri() function, ensuring that the check at line 3279 will never be true (unless URL that starts with file://file:// is provided).When we tested Pidgin on Windows 7, for example, WebDAV paths ending in file extensions such a .exe and .bat were filtered by the OS. However, the user can simply supply a path to an unfiltered file type such as a Java .jar to have the user download and execute arbitrary code if they have the Java Runtime Environment installed. Note, this is just one example and other file formats can be used. It's also worth noting the attacker can also control the displayed string for the URL, so the true destination of a clicked URL can be obfuscated.